Onion Hidden Service VPS Hosting

Tor v3 hidden services use 56-character onion addresses derived from an Ed25519 public key. The address is self-authenticating, end-to-end encrypted between client and service, and never advertises a clearnet IP. The recommended deployment pattern for high-sensitivity services is onion-only: the VPS firewall drops all inbound clearnet traffic, the web server binds only to the loopback interface, and the tor daemon is the single process that talks to the outside world. This kills the most common deanonymization vector, which is a misconfigured web server leaking its public IP through default error pages, server-status endpoints or upstream redirects.

The HiddenServiceDir lives on the VPS filesystem and contains the secret key that defines the onion address. Back this directory up to an offline encrypted volume; if it is lost the onion address is gone permanently. If it is compromised, anyone with the secret key can impersonate the service. Set the file permissions to 0700 owned by the tor user, and avoid keeping copies on any device that is not under your direct physical control.

AnubizHost provisions onion-capable VPS plans with the tor package preinstalled on request. Operators typically deploy a minimal nginx or caddy on 127.0.0.1, point the HiddenServicePort 80 directive at it, and start serving traffic within ten minutes of provisioning. There is no DNS step, no certificate authority involvement and no clearnet exposure required at any point in the deployment.

Vanity onion addresses use brute-force key generation to produce an address starting with a chosen prefix. This is purely a usability feature; the cryptographic strength of the resulting key is identical to a random one as long as the prefix is short relative to the full 56-character address. The standard tool is mkp224o, which on a modern CPU generates roughly 50 million keys per second per core. A six-character prefix typically takes a few minutes to find on an 8-core machine. An eight-character prefix takes hours to days.

Do not generate vanity keys on a shared workstation or a VPS provider that you do not trust with the resulting private key. The recommended practice is to spin up a temporary high-CPU instance, generate the key in RAM, encrypt the resulting HiddenServiceDir with age or gpg, transfer it to the production VPS over an authenticated channel and then destroy the generator instance. AnubizHost offers high-clock dedicated nodes that can be rented for short periods specifically for vanity-key workloads.

Avoid public vanity-key services. Several websites offer to generate custom onion addresses on your behalf, but the operator necessarily holds the secret key for as long as the generation runs and could trivially keep a copy. Generate your own keys on infrastructure you control, period. This is the kind of operational discipline that separates a serious onion deployment from a hobby one.

The single most common deanonymization for onion services is a web-server misconfiguration that leaks the clearnet IP. Nginx default error pages, Apache mod_status endpoints and PHP fatal-error backtraces all routinely include the public hostname or the public IP. Disable server tokens, set server_name to the onion address only, route 4xx and 5xx responses through a generic template that does not include hostnames, and make sure that no internal subrequest or upstream proxy hits a clearnet endpoint that could echo the source IP back.

Time leaks are the second-most-common deanonymization vector. A hidden service that publishes content with timestamps in the local timezone, or that responds with an HTTP Date header that drifts noticeably from UTC, can be correlated with the timezone of the server's clock. Set the VPS timezone to UTC and use NTP exclusively over Tor where possible. Disable any application-level timestamping that exposes timezone-relative values.

Outbound traffic from the onion VPS is the third vector. If the service ever connects to a clearnet API, CDN or analytics endpoint, the destination's logs now contain a clearnet IP that can be correlated with the onion's activity. Use the Tor SocksPort exclusively for outbound HTTP from the onion VPS. Block all outbound traffic at the firewall level except to 127.0.0.1 and to Tor directory authorities. This is restrictive but it is the configuration that an actually-anonymous onion service needs to run.